> -----Original Message-----
> From: Chris Wilson [mailto:chris+exim@qwirx.com]
> Sent: October-21-13 9:06 AM
> To: Grant Peel
> Cc: exim-users@???
> Subject: Re: [exim] Authenticated User Ratelimiting
>
> Hi Grant,
>
> On Mon, 21 Oct 2013, Grant Peel wrote:
>
> > Recent events have left us wanting to add rate limiting to our exim
> > configuration.
> >
> > I have seen several examples in various places on the web and
> > everything I can find in the exim specification, and I must say I am a
> > little more than confused.
> >
> > All I really want to do is ratelimit everyone (locally authenticated)
> > to 250/hour, as a start anyways.
>
> This is what I use:
>
> acl_smtp_auth = acl_check_auth
>
> ...
>
> begin acl
>
> ...
>
> acl_check_auth:
>
>   defer
>     ! hosts     = 217.155.111.88/29 : 82.68.244.64/29
>     ratelimit   = 30 / 1h / strict / $sender_host_address
>     # delay     = 30s
>     message     = Too many auth attempts, slow down
>     log_message = Sender $sender_host_address AUTH rate \
>                   $sender_rate/$sender_rate_period exceeds limit \
>                   ($sender_rate_limit)
>
> So in your case, you probably want "ratelimit = 250 / 1h / strict / global"
> to use the same key (the word "global") for all IP addresses.
>
> Note that this will allow a remote host to deny service to your users by
> making a large number of auth attempts, and the failure mode is very public
> as users' clients will show an error message when they try to authenticate.
> So probably you really want "/ $sender_host_address" instead of "/ global".
> You probably also want to except known IP addresses from this "defer"
> statement, to keep your customers/users happy.
>
> You may want to trial this with "warn" instead of "defer" as the verb, so
> that you'll see messages in the logs if users exceed it. Combined with
> "delay = 5s" you will actually succeed in slowing down cracking attempts a
> lot, without ever failing an auth request.
>
> So I recommend you start with something like this:
>
>   warn
>     ! hosts     = 217.155.111.88/29 : 82.68.244.64/29
>     ratelimit   = 30 / 1h / strict / $sender_host_address
>     delay       = 5s
>     # message   = Too many auth attempts, slow down
>     log_message = Sender $sender_host_address AUTH rate \
>                   $sender_rate/$sender_rate_period exceeds limit \
>                   ($sender_rate_limit)
>
> Cheers, Chris.
> --
> Chris Wilson <chris+sig@???> Cambs UK | Security/C/C++/Java/Ruby/Perl/SQL Developer
> We are GNU : free your mind & your software

Hi Chris,
Thanks for the expedient reply, much appreciated.
Two (quick?) questions:
1) My config seems to me to be quite complex and as such I don't want to
break it, where in the ACL_CHECK_AUTH list should I place the paragraph? I
am guessing right at the start....
2) Is the Auth 'per authenticated user' per IP address? i.e. I don't want to
block a specific IP for all users due to 1 user's overage ... hope I worded
that question correctly.
Regards,
-G
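An added configuration fragment, not from Chris's or Grant's mail, showing the per-user variant behind question 2: the ratelimit key is $authenticated_id instead of $sender_host_address, so one user going over the limit does not affect other users on the same IP. It has to live in the MAIL ACL rather than acl_smtp_auth, because $authenticated_id is only set after a successful AUTH. The ACL name acl_check_mail is an assumption, and the 250/1h figure is taken from Grant's question.

```exim
# Added example (not from the thread). Merge into an existing MAIL ACL
# rather than replacing it; acl_check_mail is an assumed name.
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:

  # Per-user limit: counts one event per message (per_mail) against the
  # login name, so the key is independent of the client's IP address.
  # "warn" only logs; swap in "defer" plus "message" once the limit is
  # known to be right for real users.
  warn
    authenticated = *
    ratelimit     = 250 / 1h / per_mail / strict / $authenticated_id
    log_message   = User $authenticated_id rate \
                    $sender_rate/$sender_rate_period exceeds limit \
                    ($sender_rate_limit)

  # Hard-fail variant, kept commented out until the warn phase is done.
  # defer
  #   authenticated = *
  #   ratelimit     = 250 / 1h / per_mail / strict / $authenticated_id
  #   message       = Too many messages from this account, slow down

  accept
```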